Regression with 1.6.5 sending emails to [email protected]? #415

Closed
bellwood opened this issue Apr 1, 2023 · 6 comments

@bellwood

bellwood commented Apr 1, 2023

Since yesterday's release and upgrade to 1.6.5, email notifications are being sent to '[email protected]' instead of the address defined for email_address in conf.maldet

Apr 01 2023 03:25:24 host1 maldet(23601): {alert} sent digest alert to [email protected]

Header bits for the outgoing email:

Date: Sat, 01 Apr 2023 03:25:24 +0000
To: [email protected]
Subject: maldet alert from [host1](redacted): monitor summary
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Relevant config bits:

email_alert="1"
email_addr="[email protected]"
email_panel_user_alerts="0"
email_panel_from="[email protected]"
email_panel_replyto="[email protected]"
email_panel_alert_subj="maldet alert from redacted"
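
A check for the symptom reported above, as an added example that is not part of the thread or of LMD's own code: it compares the recipient in each `{alert} sent ... to` log line against `email_addr` in a `conf.maldet`-style file and prints the entries that went elsewhere. The function names, the sample addresses and log lines, and the handling of `email_addr` as a possibly comma-separated list are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not LMD code): flag alert log entries whose recipient is not
# listed in email_addr. Sample addresses, log lines and paths are constructed.

# Print the address(es) from the last email_addr= assignment, one per line.
configured_addrs() {
    sed -n 's/^[[:space:]]*email_addr="\{0,1\}\([^"#]*\).*/\1/p' "$1" |
        tail -n 1 | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Print every "{alert} sent ... to <addr>" log line whose <addr> is not configured.
mismatched_alerts() {    # usage: mismatched_alerts CONF LOG
    local allowed
    allowed=$(configured_addrs "$1" | tr '\n' ' ')
    awk -v allowed="$allowed" '
        BEGIN { n = split(tolower(allowed), a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        index($0, "{alert} sent ") && !(tolower($NF) in ok)
    ' "$2"
}

# Constructed sample: one alert to a placeholder address, one to the configured one.
run_demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' 'email_alert="1"' 'email_addr="admin@example.com"' > "$dir/conf.maldet"
    printf '%s\n' \
        'Apr 01 2023 03:25:24 host1 maldet(23601): {alert} sent digest alert to you@example.com' \
        'Apr 06 2023 03:25:24 host1 maldet(1184): {alert} sent digest alert to admin@example.com' \
        'Apr 06 2023 03:25:25 host1 maldet(1184): {mon} scanned 4 new/changed files' \
        > "$dir/event_log"
    mismatched_alerts "$dir/conf.maldet" "$dir/event_log"
    rm -rf "$dir"
}

run_demo
```
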
@rfxn
Owner

rfxn commented Apr 2, 2023

@colindclare possibly regression in pr#409
@bellwood reviewing

@colindclare

@bellwood Thanks for hanging on while we investigated. I'm unable to replicate that behavior using a fresh cPanel 110 install (guessed cPanel based on the email you provided, but please correct me if I'm wrong) on CentOS 7 using the following steps:

  • Install LMD 1.6.4 cleanly
  • Set email_alert="1" and email_addr to my email address
  • Update to LMD 1.6.5
  • Run scan on test malware

In all cases, the email was sent correctly to my email address. I also attempted to replicate a possible race condition where the scan occurred during the LMD update to 1.6.5 and pulled in "[email protected]" as email_addr, but I was unable to do so.

Can you confirm if the issue is still occurring? If so, can you provide us with some information on your environment and any custom configurations to LMD you might have made?

@bellwood
Author

bellwood commented Apr 6, 2023

@colindclare since posting, out of all the servers in my cluster, only one has sent an email and it did go to the proper address.

Will perform the steps above on the host that had the issue and report back.

Thank you.

@bellwood
Author

@colindclare I am unable to reproduce at this time. Should it creep up again I will provide further details. Thank you.

@bellwood
Author

Sure enough it happened again overnight


A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

 [email protected]

The following text was generated during the delivery attempt:

------ [email protected] ------

recipient does not have an account.
Reporting-MTA: dns; bosmailscan02.eigbox.net

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Return-path: <[email protected]>
Received: from [10.115.3.2] (helo=bosimpinc02)
    by bosmailscan02.eigbox.net with esmtp (Exim)
    id 1pm4Rv-0007zM-HB
    for [email protected]; Mon, 10 Apr 2023 23:13:39 -0400
Received: from redacted.host ([redacted.ip])
    by bizsmtp with ESMTP
    id m4KaptMM3uyemm4KbpfyTt; Mon, 10 Apr 2023 23:06:05 -0400
X-EN-OrigIP: redacted.ip
X-EN-IMPSID: m4KaptMM3uyemm4KbpfyTt
Received: from root by redacted.host with local (Exim 4.96)
    (envelope-from <[email protected]>)
    id 1pm4Ru-0000Nz-0N
    for [email protected];
    Tue, 11 Apr 2023 03:13:38 +0000
Date: Tue, 11 Apr 2023 03:13:38 +0000
To: [email protected]
Subject: maldet alert from redacted.host: monitor summary
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>
From: root <[email protected]>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - redacted.host
X-AntiAbuse: Original Domain - domain.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - redacted.host
X-Get-Message-Sender-Via: redacted.host: authenticated_id: root/primary_hostname/system user
X-Authenticated-Sender: redacted.host: root
X-Source: /usr/lib/systemd/systemd
X-Source-Args: /usr/lib/systemd/systemd --switched-root --system --deserialize 22 
X-Source-Dir: /usr/local/maldetect.bk1186/tmp/.lmdup.19070.1006/maldetect-1.6.5
X-From-Rewrite: unmodified, actual sender is the system user
X-CMAE-Envelope: MS4wfBcwGVsO1l7APf+ceVht1yxr8Uw8Z5+/r97QiqW64l1X6oixQ8+2njCFFVn7Zfa0rz18INUFW1Ah5o2YeKA+GscD5L7t2I1WM9YeBkFtv7p3oN6XUWVH
6hG5xbIy0gG8SolOx5Eh0DQ5kR6KkjikgDhdCwSKVw45Wre1G5w2Wht3
X-EN-Class: impinc

@bellwood bellwood reopened this Apr 11, 2023
@bellwood
Author

@rfxn @colindclare this host is now behaving normally.

The clean install of 1.6.4 then upgrade to 1.6.5 did not resolve it. Upon removing the upgraded 1.6.5 install and doing a clean install of 1.6.5 the issue has not presented itself and I am receiving notifications as expected.

Thank you.
